How To Set Up OpenVPN To Authenticate With LinOTP

Introduction

This howto shows you how to set up OpenVPN to authenticate users against the LinOTP authentication backend. This way you can bring up your VPN with two-factor authentication using different kinds of OTP tokens.

If you only have a few users or a few machines and using your smartphone as your token suits you, you should probably take a look at this howto on this site.

On the other hand, if you need to manage several users with different kinds of tokens, you should go on reading this howto.

Setting up LinOTP

First you need to set up LinOTP. There are several ways to do this: you can download Debian and Ubuntu packages, or you can install the system from the Python Package Index. The latter provides a good quick start to get the service up and running for demo purposes (check for the latest version).

You might install the LinOTP backend together with the OpenVPN daemon on the same machine to keep things straight and simple.

Configuring PAM for LinOTP

There are different ways to authenticate against LinOTP. You can use the Web API or a RADIUS server, but you can also use a PAM module to authenticate with your OTP tokens.

LinOTP provides a pam_linotp module written in C, which is contained in the authentication modules. But we do not want to go through the hassle of compiling the C code today and installing all the necessary devel packages.

Please note that the first parameter after the pam_python.so module is the Python module that you installed or copied. You also need to provide a URL where the LinOTP server is located. If you installed LinOTP on the same machine on which OpenVPN is about to run, you can leave this as "localhost"; otherwise, adapt the name or IP address accordingly.

In the URL you also need to adapt the protocol (whether LinOTP runs on https or http) and the port.

We now have a simple file, common-linotp, that we can later include in our PAM definitions.
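To make clear what the Python module behind that pam_python.so line actually does with the URL parameter, here is an added sketch (not the page's or LinOTP's own pam_linotp module): it parses the PAM argument list, asks LinOTP's /validate/check endpoint whether user and OTP are valid, and maps the JSON answer to a PAM result code, failing closed on any error. The module path /lib/security/pam_linotp.py, the default URL and the use of a POST with user/pass fields are assumptions; the transport is injectable so the logic runs offline against constructed responses.

```python
import json
import urllib.parse
import urllib.request

# Linux-PAM result codes (standard numbering).
PAM_SUCCESS, PAM_AUTH_ERR, PAM_AUTHINFO_UNAVAIL = 0, 7, 9


def parse_pam_args(argv):
    """argv is what PAM hands to pam_python.so: the Python module path first,
    then key=value options.  Only 'url' is used here; protocol, host and port
    are whatever the admin wrote into common-linotp."""
    opts = {"module": argv[0], "url": "https://localhost/validate/check"}  # assumed default
    for arg in argv[1:]:
        key, sep, value = arg.partition("=")
        if sep:                      # bare flags such as 'debug' are ignored
            opts[key] = value
    return opts


def _http_post(url, fields):
    """Default transport: POST form fields to LinOTP and return the raw body."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=10) as resp:
        return resp.read()


def check_otp(url, user, otp, post=_http_post):
    """Validate user + OTP against LinOTP and return a PAM result code.
    Only an explicit 'value: true' grants access; transport errors, malformed
    answers and LinOTP-side errors (status != true) all deny, i.e. fail closed."""
    try:
        body = post(url, {"user": user, "pass": otp})
        result = json.loads(body)["result"]
    except Exception:                # network error, bad JSON, missing keys
        return PAM_AUTHINFO_UNAVAIL
    if not isinstance(result, dict) or result.get("status") is not True:
        return PAM_AUTHINFO_UNAVAIL  # LinOTP reported an internal error
    return PAM_SUCCESS if result.get("value") is True else PAM_AUTH_ERR


# Constructed stand-in for LinOTP, answering in the shape of /validate/check.
def fake_linotp(url, fields):
    accepted = fields["user"] == "alice" and fields["pass"] == "1234567890"
    return json.dumps({"result": {"status": True, "value": accepted}}).encode()


if __name__ == "__main__":
    argv = ["/lib/security/pam_linotp.py", "url=http://localhost:5001/validate/check", "debug"]
    opts = parse_pam_args(argv)
    print(check_otp(opts["url"], "alice", "1234567890", post=fake_linotp))  # 0 (PAM_SUCCESS)
```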